Merge "Sepolicy: Give Otapreopt right to write A/B artifacts in /data" into nyc-dev

ff755159 · Andreas Gampe · Android (Google) Code Review · b6480a5e · c83614b6 · ff755159
Commit ff755159 authored 9 years ago by Andreas Gampe Committed by Android (Google) Code Review 9 years ago
--- a/otapreopt.te
+++ b/otapreopt.te
@@ -8,11 +8,21 @@ allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
 # here and having to relabel the directory.
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(otapreopt, apk_data_file)
+# Access to app oat directory.
+r_dir_file(otapreopt, dalvikcache_data_file)
 # Write to /data/ota(/*). Create symlinks in /data/ota(/*)
 allow otapreopt ota_data_file:dir create_dir_perms;
 allow otapreopt ota_data_file:file create_file_perms;
 allow otapreopt ota_data_file:lnk_file create_file_perms;
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow otapreopt dalvikcache_data_file:dir { write add_name remove_name };
+allow otapreopt dalvikcache_data_file:file create_file_perms;
 # Allow labeling of files under /data/app/com.example/oat/
 # TODO: Restrict to .b suffix?
 allow otapreopt dalvikcache_data_file:dir relabelto;